Drupal 6, now more than ever

13 February 2008 - 12:38pm — Larry

For those who haven't really been following it, several hundred contributors, 13 months, and tens of thousands of lines of code have gone into making the only version of Drupal ever that is better than Drupal 5. So, naturally, we've released it and called it Drupal 6.

Drupal 6 boasts a boatload of new functionality, ranging from Ajaxy yumminess throughout the system to native support for OpenID to vastly enhanced multilingual support. Several entire subsystems have been either overhauled or totally rewritten to provide more power, flexibility, and speed. The official press release has the complete rundown, or for the more visually inclined there's a new features screencast. For me, though, the new theming system is feature numero uno.

At Palantir, we specialize in making sites that don't look at all like Drupal. That means we're frequently bending the theme system to its limits and doing some wacky and crazy (but cool!) things with it. Often, though, we find ourselves running into places where something is more complex than it needs to be. In Drupal 6, the theme system has been almost entirely rewritten to be more template-centric. That's great news for our themers, as it means there's more they can do without having to bother the programmers (me). That makes it great news for me, too. :-)

Moreover, important changes in the way Drupal's default HTML is built make skinning it much easier. That, in turn, means CSS wizards can do far more with just CSS, without having to mess around with template functions or, God forbid, PHP. Even if most high-end themes will still involve some HTML and PHP work, the more design work can be offloaded onto CSS, the cleaner the whole theme becomes. It's even possible for modules to inject new values into each other's template files cleanly, for vastly improved system modularity.

I noticed that there wasn't any mention of security-related issues in your post. So I guess the Drupal folks preferred to concentrate on "AJAXy yumminess" and other such things rather than fixing 101 vulnerabilities listed in NVD (nvd.nist.gov). Sure, the 6.0 release touts this as the "most secure Drupal release ever", but the "security features" they list, such as "Password strength checking", "Granular permissions", and "PHP format secured" have little to do with actual problems that exist in Drupal.

You do know that the search will result in a historical list of issues that have been documented? If you click on each issue, you'll see the link to the resolution/patch response. If one were to have currently updated modules, they would not be affected by the '101' vulnerabilities.

Also note that the vast majority of vulnerabilities originate in contributed modules. Very few pertain to the Drupal core.

Pull up the latest vulnerabilities (most recent is 2/5/08 as of this post) and you'll see links to the solution. The user typically needs to upgrade to the latest version. Drupal 6 introduces an update mechanism for installed modules. This will make it easier for site owners to see if they need to update modules.

That isn't to say that Drupal or any CMS is immune from vulnerabilities. It simply illustrates that the Drupal community responds quickly to security issues and that a current Drupal system has no known security vulnerabilities.

However, would you suggest a more secure CMS - one that's open source, feature rich, modular, and has a large install base?

There are dozens of new features in Drupal 6. I chose to concentrate on the one that is most directly applicable to my day job. That doesn't mean security isn't a concern.

As TheMemex mentioned, Drupal 6 does make it easier for site admins to keep their site up to date, which in any software product is key to ongoing security.

I'm not sure which "actual problems that exist in Drupal" you mean. The entire form handling system is designed around white-listing return values. The database layer enforces the use of prepared-statement-like queries that automate escaping to prevent SQL injection. The theme system is designed to separate escaping from the template itself, making it easier to write templates safely; the new theming system in Drupal 6 improves that even more, making it even easier to write template files that are secure.

At the OSCMS Summit last spring in Sunnyvale, Rasmus Lerdorf, Yahoo's security guru and PHP project founder, presented a security hole in a half-dozen open source projects, including Drupal. Of those listed, Drupal's was by far the most obscure and difficult to exploit (it has since been fixed). He later commented that he almost didn't do that demonstration because he had to try very hard to find a hole in Drupal. That should say something about the seriousness with which the Drupal community takes security.

If you know of any open holes in Drupal 5 or Drupal 6, though, please do contact the security team to report it so we can get it fixed.
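The two defenses named in the reply above (typed query placeholders and white-listed form choices) as an added, runnable example. This is a Python model written for this page, not Drupal's PHP: `render_query` imitates the Drupal 6 `db_query()` convention where `%d` casts its argument to an integer and `%s` escapes and quotes it, and `validate_choice` imitates the Form API rejecting a submitted value that was not among the offered options. The table, rows, function names and the attacker inputs are all constructed for the illustration.

```python
"""Model of typed SQL placeholders and form-choice whitelisting.
Illustration written for this page; not Drupal's own code."""
import re
import sqlite3

# Constructed sample data: an in-memory stand-in for Drupal's {node} table.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE node (nid INTEGER, title TEXT, status INTEGER);
    INSERT INTO node VALUES (1, 'Public post', 1);
    INSERT INTO node VALUES (2, 'Secret draft', 0);
    INSERT INTO node VALUES (3, 'Another public post', 1);
""")

_PLACEHOLDER = re.compile(r"%(%|d|s|f)")
_LEADING_INT = re.compile(r"^\s*[-+]?\d+")


def php_int_cast(value):
    """Mimic PHP's (int) cast: keep a leading integer, otherwise 0.
    This is why a %d placeholder neutralises '0 OR 1=1' entirely."""
    m = _LEADING_INT.match(str(value))
    return int(m.group()) if m else 0


def render_query(sql, *args):
    """Substitute placeholders by type (modelled on Drupal 6 db_query):
    %d -> integer, %f -> float, %s -> quoted string with quotes escaped,
    %% -> a literal percent sign. Argument count must match exactly."""
    pending = list(args)

    def substitute(match):
        kind = match.group(1)
        if kind == "%":
            return "%"
        if not pending:
            raise ValueError("too few arguments for query placeholders")
        value = pending.pop(0)
        if kind == "d":
            return str(php_int_cast(value))
        if kind == "f":
            return repr(float(value))
        # SQLite escapes a single quote by doubling it; Drupal 6 used the
        # database driver's own escaping function at this point.
        return "'" + str(value).replace("'", "''") + "'"

    rendered = _PLACEHOLDER.sub(substitute, sql)
    if pending:
        raise ValueError("too many arguments for query placeholders")
    return rendered


def published_titles_unsafe(nid):
    """The anti-pattern: user input spliced straight into the SQL text."""
    sql = "SELECT title FROM node WHERE status = 1 AND nid = " + str(nid)
    return [row[0] for row in conn.execute(sql)]


def published_titles_safe(nid):
    """Same lookup, but the nid goes through the %d placeholder."""
    sql = render_query("SELECT title FROM node WHERE status = 1 AND nid = %d", nid)
    return [row[0] for row in conn.execute(sql)]


def titles_matching(term):
    """%s path: the value is quoted and escaped, so a quote in the input
    cannot close the literal and start new SQL."""
    sql = render_query("SELECT title FROM node WHERE title = %s", term)
    return [row[0] for row in conn.execute(sql)]


def validate_choice(options, submitted):
    """Form API style whitelist: a select/radio value must be one of the
    keys the form offered; anything else is rejected, not sanitised."""
    if submitted not in options:
        raise ValueError("An illegal choice has been detected.")
    return submitted


if __name__ == "__main__":
    attack = "0 OR 1=1"
    print(published_titles_unsafe(attack))   # leaks the unpublished draft
    print(published_titles_safe(attack))     # [] : cast to 0, nothing matches
    print(titles_matching("x' OR '1'='1"))   # [] : the quote is escaped
    print(validate_choice({"page": "Page", "story": "Story"}, "page"))
```

The point the model makes is the one in the reply: the placeholder is typed, so the injection attempt is not "escaped", it simply stops being SQL. With `%d` the string `0 OR 1=1` becomes the integer `0`; with `%s` the embedded quote is doubled and stays inside the literal. The form check takes the same approach to submitted choices: an unexpected value is refused rather than cleaned.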

Drupal isn't about being able to install it in 5 minutes. Drupal is about installing it, and then being able to customise *every* *single* aspect of its functionality and look and feel in a matter of days, *without* having to rewrite large chunks of the CMS.

The Drupal community really stepped forward by releasing Drupal 6. There are a few key features I enjoy with #6 and even though it still required a lot of time, it is great nonetheless. Being able to do anything with Drupal is the main reason why I love it so much. WordPress is a lot easier, but it is missing so many cool features.

I am into marketing my websites on the net, and use several different platforms including WP, some PHP sites and a few other platforms. I think the Drupal platform looks nice, but I cannot find 1 single post that explains in layman's language why I would want to use this platform.

I think the platform would do a lot better if the language was not so programmer-specific. You guys are missing the mark by not just listing the benefits of the platform.

This scares guys like me who are not proficient at coding. I can handle HTML, and with WP I can add widgets. It is simple, so if you want to "sell" your favored platform to the average blogger or website owner, you need to get to their level of understanding and show them the benefits.